2018-09-30 09:25:02

by Stefan Seyfried

[permalink] [raw]
Subject: SIOCGIWRATE (and others) leaking SLAB (kmalloc-2048)

Hi all,

I'm running the openSUSE provided latest rc kernels and found, that
after 2 weeks, about 4GB of memory had leaked into kmalloc-2048.
Investigating with trace-cmd lead me to the gkrellm-wifi plugin, which
periodically polls via wireless extension ioctls.

This is an easy to use reproducer:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/wireless.h>
int main(int argc, char **argv)
{
struct iwreq request;
int fd;
if (argc < 2) {
fprintf(stderr, "usage: %s <interface>\n", argv[0]);
return 1;
}
fd = socket (AF_INET, SOCK_DGRAM, 0);
if (fd < 0) {
fprintf(stderr, "Could not open socket: %m\n");
return 2;
}
strncpy (request.ifr_name, argv[1], IFNAMSIZ);
for (int i = 0; i < 10000; i++)
if (ioctl (fd, SIOCGIWRATE, &request) < 0)
fprintf(stderr, "ioctl: %m\n");
close (fd);
return 0;
}

http://paste.opensuse.org/75377254

# grep ^kmalloc-2048 /proc/slabinfo
kmalloc-2048 168090 168106 2048 2 1 : tunables 24 12 8 : slabdata 84053
84053 0
# ./leak air
# grep ^kmalloc-2048 /proc/slabinfo
kmalloc-2048 178086 178086 2048 2 1 : tunables 24 12 8 : slabdata 89043
89043 0

The same happens with SIOCGIWSTATS and when reading /proc/net/wireless:

#!/bin/bash
for ((i=0; i<10000; i++)); do
while read line; do :; done < /proc/net/wireless
done

Thie lets me suspect an issue with rdev_get_station, but OTOH "iw air
station dump" which I think also calls rdev_get_station via
nl80211_get_station() does not seem to leak.

I did not see this with 4.18, I have noticed this with 4.19-rc3 after 13
days and still see it with -rc5.

Best regards,

Stefan
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman


2018-09-30 09:44:00

by Stefan Seyfried

[permalink] [raw]
Subject: Re: SIOCGIWRATE (and others) leaking SLAB (kmalloc-2048)

Am 30.09.18 um 11:24 schrieb Stefan Seyfried:
> Hi all,
>
> I'm running the openSUSE provided latest rc kernels and found, that
> after 2 weeks, about 4GB of memory had leaked into kmalloc-2048.
> Investigating with trace-cmd lead me to the gkrellm-wifi plugin, which
> periodically polls via wireless extension ioctls.
>
> This is an easy to use reproducer:
> [...]
>
> http://paste.opensuse.org/75377254
>
> # grep ^kmalloc-2048 /proc/slabinfo
> kmalloc-2048 168090 168106 2048 2 1 : tunables 24 12 8 : slabdata 84053
> 84053 0
> # ./leak air
> # grep ^kmalloc-2048 /proc/slabinfo
> kmalloc-2048 178086 178086 2048 2 1 : tunables 24 12 8 : slabdata 89043
> 89043 0
>
> The same happens with SIOCGIWSTATS and when reading /proc/net/wireless:
>
> #!/bin/bash
> for ((i=0; i<10000; i++)); do
> while read line; do :; done < /proc/net/wireless
> done
>
> Thie lets me suspect an issue with rdev_get_station, but OTOH "iw air
> station dump" which I think also calls rdev_get_station via
> nl80211_get_station() does not seem to leak.

trace-cmd gives this for the above script:

%99.28 (15289) leak.sh kmalloc #10001
|
--- *kmalloc*
kmem_cache_alloc_trace
cfg80211_sinfo_alloc_tid_stats
sta_set_sinfo
ieee80211_get_station
cfg80211_wireless_stats
wireless_dev_seq_show
seq_read
proc_reg_read
__vfs_read
vfs_read
ksys_read
do_syscall_64
entry_SYSCALL_64_after_hwframe

("trace-cmd record -T -e kmalloc -f bytes_alloc==2048", then run the
script, then "trace-cmd hist trace.dat")

This points me to sta_set_sinfo and then to commit

commit 0fdf1493b41eb64fc7e8c8e1b8830a4bd8c4bbca
Author: Johannes Berg <[email protected]>
Date: Fri May 18 11:40:44 2018 +0200

mac80211: allocate and fill tidstats only when needed

This fixes memory leaks in the case where we just have the
station info on the stack for internal usage without sending
it to cfg80211.

which seems to be incomplete

> I did not see this with 4.18, I have noticed this with 4.19-rc3 after 13
> days and still see it with -rc5.

Looking at the commit, the bug might have been already in 4.18, which
I'm trying to confirm right now.
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman

2018-09-30 09:51:23

by Stefan Seyfried

[permalink] [raw]
Subject: Re: SIOCGIWRATE (and others) leaking SLAB (kmalloc-2048)

Am 30.09.18 um 11:43 schrieb Stefan Seyfried:
> Looking at the commit, the bug might have been already in 4.18, which
> I'm trying to confirm right now.

4.18.8 (which was easily available to me prebuilt) has the same problem.
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman

2018-09-30 10:59:15

by Stefan Seyfried

[permalink] [raw]
Subject: Re: SIOCGIWRATE (and others) leaking SLAB (kmalloc-2048)

Am 30.09.18 um 11:50 schrieb Stefan Seyfried:
> Am 30.09.18 um 11:43 schrieb Stefan Seyfried:
>> Looking at the commit, the bug might have been already in 4.18, which
>> I'm trying to confirm right now.
>
> 4.18.8 (which was easily available to me prebuilt) has the same problem.

I think I found and fixed the problem, see
[PATCH] cfg80211: fix wext-compat memory leak

Best regards,

Stefan
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman